Hands-on: McAfee Rootkit Detective

McAfee has released a new free security tool that's meant to help identify rootkits, a type of stealth technology used by some malware writers to hide their creations on your PC.

By
Erik Larkin
| 31 Jul 2007

McAfee has released a new free security tool that's meant to help identify rootkits, a type of stealth technology used by some malware writers to hide their creations on your PC.

When I downloaded and installed the program today, it quickly became clear that the program can be a useful diagnostic tool for experts, but it's not something that someone without a whole lot of specialised technical knowledge will get much out of. As McAfee's download page states, "McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support."

I'll qualify that to say that you don't need to be an expert to use it to gather information - but you definitely don't want to take any action based on what it finds unless you really know what you're doing. Rootkit Detective found many things in its scan of my system, but I'm fairly sure none of them were harmful.

There is an easy option within the software to submit hidden files the program finds to McAfee. I just sent off one such submission. If the company is willing to analyse user submissions from their free software, it could be a way to get some good expert advice.

If you want to check it out, and have Windows XP, 2000, 2000 Server or 2003 Server, start by grabbing the tiny, 1.4MB zip file from McAfee. That file contains a readme and an executable. You don't need to install anything; just unzip the executable somewhere and double-click it.

Before you scan, click the Settings button and choose a location for the scan log. Then hit the Scan button to kick things off. Getting the results took about 5 minutes on my system.

However, making sense of those results was nowhere near as quick and easy. You can choose from five display options: View hidden processes and files, View hidden registry keys/values, View hooked services, View hooked imports/exports, View all processes. But it's highly technical data, with no clues as to whether a hidden file or process might be a rootkit or part of a legit application.

It's also hard to read the information in the non-resizable program window. It's much easier to read the data in the scan log, which will sit as a .txt file in the location you chose before the scan.

If you're sure something is malicious, you can choose to rename files, delete registry entries or terminate processes. If you're not sure but are suspicious, you can select a file (and only for files) using the check-box next to it and then clicking the Submit button.

In that Submit window, enter your email address and anything you might know or suspect about the file, and then click Send. I'll frankly be somewhat impressed if McAfee responds to the submission with any sort of real analysis, given that the program is free.

If you are worried that you might have a malware infection that your antivirus program can't find, one great option is HijackThis, recently bought by Trend Micro. Like McAfee's new program, HijackThis delivers a bunch of highly technical diagnostic data.

But there's a helpful online community willing to take a look at the program's log files and help you figure out if you do have a problem. Take a look at our visual guide on using HijackThis and getting its data to that community.